F5 BIG-IP Access Policy Manager (APM) Identity-based steering with SSL Orchestrator (SSLO)


Having the power of F5 Access Policy Manager (APM) as an Identity Aware Proxy and F5 SSLO allows to have a flexible organization-wide secure access layer.

Using F5 APM to authenticate access to SSLO was discussed in a previous article by Kevin_Stewart SSL Orchestrator Advanced Use Cases: Inbound Authentication , In this article we are going to assume company ABC need to have different SSLO topologies for different organzation functions,

  • User Authenticate through F5 APM.
  • F5 APM then query user identity to fetch its group.
  • Then F5 APM assigns the proper pool (SSLO Topology Pool) to this user (or Group).

Lab preparations

In our lab we are using the below features,

  • F5 SSLO v17.1 forwards traffic to F5 AWAF in the inspection zone. 

Note, In case you are using F5 SSLO older than v17.1 and want to integrate F5 AWAF, you may need to check this WAFaaS with SSLO  by KevinGallaugher  

  • F5 APM v16.1.2 , the features we are using for APM in our lab can be used with older and newer versions as well.
  • In our lab, we are assuming F5 APM and F5 SSLO are on different devices (this can be two VEs, two vCMPs, or two tenants on the same rSeries).

Note, In case you are using the same box for F5 APM and F5 SSLO, you may need to use a VIP targetting iRule similar to the below one using the required ACCESS::session variables based on the condition you need to apply.



set user [ACCESS::session data get "session.logon.last.username"]
if { $user contains "user2"} {
      virtual "/Common/vs_myapp_top1"
}else {
virtual "/Common/vs_myapp_top2"




Lab walkthrough

  • Traffic is initiated from users towards APM VS.
  • F5 APM authenticate user and query AD group.
  • F5 APM then assigns pool (F5 SSLO Topology) per condition. 
  • F5 SSLO Topology VS receives the traffic, forwards it to the AWAF and then pass it to the backend application.

F5 APM Configurations

  • Configure Access Policy to authenticate users and build conditions based on their identities,

  • SSLO TOP1 / SSLO TOP2 represent the pools pointing the traffic to the SSLO VS

  • In case, you have both APM / SSLO on the same device,
    • You will add Ending Allow right after AD_Query, without further branches.
    • You will use the iRule mentioned in the lab preparation section after updating it using the proper ACCESS::session variables based on the required access conditions.

F5 SSLO Configurations

In our lab we are using F5 Advanced Web Application Firewall (AWAF) service in the service chain, other SSLO configurations options can be found here https://clouddocs.f5.com/sslo-deployment-guide/

In the lab we are using F5 SSLO Existing Application topology. other topologies can be used as well, just make sure F5 SSLO forwards traffic to application pool.

Related Content

Published Apr 12, 2023
Version 1.0

Was this article helpful?

No CommentsBe the first to comment